Does Your Small Business Practice Secure Email?

Email mistakes happen, and they happen to all of us. Who can truly say that they have never replied to all instead of to an individual, accidentally selected the wrong auto-fill email address, mistakenly included confidential personal information in an email, or made a typo that completely changed (for the worse!) the meaning of the message?


According to a recent SilverSky study, just about everyone can say it, but that doesn’t actually make it true. The report found that 98% of employees surveyed thought that their email habits were as secure as, or more secure than, their colleagues’. The survey also found that 53% of respondents claim to have received sensitive private information in unencrypted emails, but only 17% admit to sending such emails. What gives? Perception vs. reality, according to the study authors, as depicted in their infographic comparing bad email habits to bad driving habits.

Why the concern about email? Just think back to the Sony hack and the resulting leaks for an example of what happens when supposedly “private” emails get exposed. Additionally, since email lives in so many places (on the sender’s computer, on corporate email servers, on Internet Service Provider (ISP) servers, on email service provider servers for both the sender and the receiver, on the receiver’s corporate email servers, and on the receiver’s computer), it makes for quite a number of potential breach targets!

The key to implementing a secure email policy for your small business is to remember that even though email may seem like a private means of communication, it is NOT. Assume that any email can be read by anyone, and can never be deleted. With that premise, create a set of guidelines for yourself, and for your team, that clearly documents the type of information that can be safely transmitted via standard email, and how to securely send email if confidential information must be included in it.

While it is nearly impossible to create policies and procedures that prevent people from writing dumb and embarrassing email messages, the following tips will help you prevent email-based data security breaches:

Never include bank account numbers or credit card numbers, or copies of voided or cancelled checks, in the email body, or send unencrypted attachments that include this information.

Never include a social security number in the email body, or send unencrypted attachments that include social security numbers.

Never send a non-temporary password in an email, even if the User ID is not included.

It is OK to send a User ID via email, as long as there is not an associated password (even a temporary one) included in the same email.

Never send confidential company information via unencrypted email, whether it is in the email body or in the attachment.

If you do need to email PII (personally identifiable information, such as a social security number), or you need to email confidential documents such as those containing your business plans, financial data, or intellectual property, be sure to use some form of encryption.
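The rules above can be enforced before a message leaves the mail client rather than relying on memory. The following pre-send check is an added example written for this post; it is not PaySimple's code or a product. It scans the body and any text attachments for the categories the guidelines forbid (social security numbers, payment card numbers confirmed with a Luhn checksum, bank account numbers announced by a keyword, and passwords), and reports each hit with the digits masked so the finding itself can be logged safely. The regular expressions, the sample messages and the function names are all constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Patterns for the categories the guidelines above forbid in unencrypted email.
# Constructed for this example; a production gateway would carry a fuller rule set.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, confirmed by Luhn below
BANK_RE = re.compile(r"(?i)\b(?:routing|account)\s*(?:no\.?|number|#)\s*[:#=]?\s*\d{6,17}\b")
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+")


@dataclass
class Finding:
    category: str   # "ssn", "card", "bank" or "password"
    location: str   # "body" or the attachment file name
    redacted: str   # matched text with all but the last four digits masked


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from phone numbers and order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact(text: str) -> str:
    """Mask every digit except the last four so a finding can be logged safely."""
    keep = max(sum(c.isdigit() for c in text) - 4, 0)
    out, seen = [], 0
    for c in text:
        if c.isdigit():
            out.append("X" if seen < keep else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def scan_text(text: str, location: str) -> list[Finding]:
    """Apply every rule to one piece of text and collect the violations."""
    findings = [Finding("ssn", location, redact(m.group())) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(Finding("card", location, redact(m.group())))
    findings += [Finding("bank", location, redact(m.group())) for m in BANK_RE.finditer(text)]
    # Never record the password itself, not even masked.
    findings += [Finding("password", location, "[password redacted]") for _ in PASSWORD_RE.finditer(text)]
    return findings


def check_outgoing(body: str, attachments: dict[str, str] | None = None) -> list[Finding]:
    """Return every policy violation in the body and in the text attachments.

    Only text attachments are scanned; an encrypted archive such as a
    password-protected .7z is opaque to this check, which is exactly the policy's intent.
    """
    findings = scan_text(body, "body")
    for name, content in (attachments or {}).items():
        findings.extend(scan_text(content, name))
    return findings


# Constructed sample messages (not real data); the card number is a well-known test value.
SAMPLE_BAD_BODY = (
    "Hi Pat, here are the details for the new vendor account.\n"
    "SSN: 123-45-6789\n"
    "Card: 4111 1111 1111 1111 exp 12/27\n"
    "Portal login is jdoe, password: Sunshine2015!\n"
)
SAMPLE_BAD_ATTACHMENTS = {"vendor.csv": "name,bank\nAcme,Account number: 000123456789\n"}
SAMPLE_OK_BODY = "Hi Pat, your user ID is jdoe. I will text you the temporary password.\n"

if __name__ == "__main__":
    for f in check_outgoing(SAMPLE_BAD_BODY, SAMPLE_BAD_ATTACHMENTS):
        print(f"BLOCK: {f.category} in {f.location}: {f.redacted}")
    print("OK to send" if not check_outgoing(SAMPLE_OK_BODY) else "blocked")
```

The clean sample passes because it follows the User ID rule: the ID is in the email and the temporary password is promised by text, not written out. A real deployment would run this as a mail-client add-in or at the outbound gateway and would also need to handle attachments that are not plain text.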

For attachments, you can encrypt and password-protect the files themselves using free software such as 7-Zip. Just don’t include the password for the attachment in the same email. The best approach is to call or text it to the recipient.
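Here is what that attachment workflow looks like from the command line, as an added example for this post rather than anything from PaySimple or the 7-Zip project. It assumes a 7-Zip command-line binary (7z, 7zz or 7za) is installed; the file names and the generated passphrase are constructed for the example. Two details matter in practice: `-mhe=on` encrypts the archive's file listing as well as the contents (with the default settings the file names inside a password-protected .7z are still readable), and the archive is test-opened with the passphrase before it is sent so the recipient is never handed a broken file.

```sh
#!/bin/sh
# Added example: encrypt an attachment with 7-Zip before emailing it, using a
# generated passphrase that is then shared out of band (phone call or text message).

# Pick whichever 7-Zip command-line binary is available on this machine.
find_7z() {
    for cmd in 7z 7zz 7za; do
        if command -v "$cmd" >/dev/null 2>&1; then
            echo "$cmd"
            return 0
        fi
    done
    return 1
}

# Generate a 24-character random passphrase from /dev/urandom, letters and digits
# only, so it survives being read out over the phone or typed from a text message.
gen_passphrase() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
    echo
}

# Create an AES-encrypted .7z archive. -mhe=on also encrypts the archive header,
# so a recipient without the passphrase cannot even list the file names.
# Usage: encrypt_attachment <output.7z> <passphrase> <file>...
encrypt_attachment() {
    out=$1; pass=$2; shift 2
    sz=$(find_7z) || { echo "7-Zip command-line tool not found" >&2; return 2; }
    "$sz" a -t7z -mhe=on -p"$pass" "$out" "$@" >/dev/null || return 1
    # Verify the archive opens with the passphrase before it goes anywhere.
    "$sz" t -p"$pass" "$out" >/dev/null
}

# Demo: ./secure_attach.sh statement.pdf  ->  statement.pdf.7z plus the passphrase to share.
if [ $# -gt 0 ]; then
    pass=$(gen_passphrase)
    if encrypt_attachment "$1.7z" "$pass" "$@"; then
        echo "Created $1.7z. Share this passphrase by phone or text, not by email: $pass"
    fi
fi
```

The passphrase is printed once for the sender to pass along out of band; it is deliberately never written to a file next to the archive.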

Alternatively, you can send a secure email that will encrypt your entire message, including the email body and any attachments. There are many options available for small businesses of any size. If your company uses Outlook, consider Microsoft Office 365 Message Encryption. Internet security companies such as Sophos, Trend Micro, and Symantec also provide encrypted email solutions. Read this post for a review of 10 email encryption software offerings.

Don’t let your small business fall victim to a data breach due to insecure email practices. Make sure that you create a clear, easy-to-follow secure email procedure for your small business. And make sure that everyone on your team both understands and follows it. That’s the best way to protect your company, and your customers.

My name is Lisa, and I'm the Vice President of Knowledge, responsible for the management of corporate, product, competitor, marketplace, legal, and regulatory knowledge, and for the creation and dissemination of knowledge tools using these assets to PaySimple prospects, customers, employees, and partners.